Security

In this document

Introduction

Android is a modern mobile platform that was designed to be truly open. Android
applications make use of advanced hardware and software, as well as local and
served data, exposed through the platform to bring innovation and value to
consumers. To protect that value, the platform must offer an application
environment that ensures the security of users, data, applications, the device,
and the network.

Securing an open platform requires a robust security architecture and rigorous
security programs. Android was designed with multi-layered security that
provides the flexibility required for an open platform, while providing
protection for all users of the platform.

Android was designed with developers in mind. Security controls were designed
to reduce the burden on developers. Security-savvy developers can easily work
with and rely on flexible security controls. Developers less familiar with
security will be protected by safe defaults.

Android was designed with device users in mind. Users are provided visibility
into how applications work, and control over those applications. This design
includes the expectation that attackers would attempt to perform common
attacks, such as social engineering attacks to convince device users to install
malware, and attacks on third-party applications on Android. Android was
designed to both reduce the probability of these attacks and greatly limit the
impact of the attack in the event it was successful.

This documentation outlines the goals of the Android security program, describes the
fundamentals of the Android security architecture, and answers the most
pertinent questions for system architects and security analysts. This document
focuses on the security features of Android's core platform and does not
discuss security issues that are unique to specific applications, such as those
related to the browser or SMS application. Recommended best practices for
building Android devices, deploying Android devices, or developing applications
for Android are not the goal of this document and are provided elsewhere.

Background

Android provides an open source platform and application environment for mobile
devices.

The sections and pages below describe the security features of the Android
platform. Figure 1 summarizes the security components and considerations of
the various levels of the Android software stack. Each component assumes that
the components below are properly secured. With the exception of a small amount
of Android OS code running as root, all code above the Linux Kernel is
restricted by the Application Sandbox.

Figure 1: Android software stack.

The main Android platform building blocks are:

Device Hardware: Android runs on a wide range of hardware configurations
including smart phones, tablets, and set-top-boxes. Android is
processor-agnostic, but it does take advantage of some hardware-specific
security capabilities such as ARM v6 eXecute-Never.

Android Operating System: The core operating system is built on top of
the Linux kernel. All device resources, like camera functions, GPS data,
Bluetooth functions, telephony functions, network connections, etc. are
accessed through the operating system.

Android Application Runtime: Android applications are most often written
in the Java programming language and run in the Dalvik virtual machine.
However, many applications, including core Android services and applications
are native applications or include native libraries. Both Dalvik and native
applications run within the same security environment, contained within the
Application Sandbox. Applications get a dedicated part of the filesystem in
which they can write private data, including databases and raw files.

Android applications extend the core Android operating system. There are two
primary sources for applications:

Pre-Installed Applications: Android includes a set of pre-installed
applications including phone, email, calendar, web browser, and contacts. These
function both as user applications and to provide key device capabilities that
can be accessed by other applications. Pre-installed applications may be part
of the open source Android platform, or they may be developed by an OEM for a
specific device.

User-Installed Applications: Android provides an open development
environment supporting any third-party application. Google Play offers
users hundreds of thousands of applications.

Google provides a set of cloud-based services that are available to any
compatible Android device. The primary services are:

Google Play: Google Play is a collection of services that
allow users to discover, install, and purchase applications from their Android
device or the web. Google Play makes it easy for developers to reach Android
users and potential customers. Google Play also provides community review,
application license
verification, application security scanning, and other security services.

Android Updates: The Android update service delivers new capabilities and
security updates to Android devices, including updates through the web or over
the air (OTA).

Application Services: Frameworks that allow Android applications to use
cloud capabilities such as (backing
up) application
data and settings and cloud-to-device messaging
(C2DM)
for push messaging.

These services are not part of the Android Open Source Project and are out
of scope for this document. But they are relevant to the security of most
Android devices, so a related security document titled “Google Services for
Android: Security Overview” is available.